THREAT INFORMATION

It has been reported that a version of Piriform's CCleaner.exe has been compromised (trojanized), resulting in the installation of a multi-stage backdoor capable of receiving instructions from the threat actors on affected systems. The affected CCleaner version is identified in the recommendations section below.

ARRIVAL AND INSTALLATION

The compromised CCleaner was distributed from Piriform's own website. The threat actors were able to replace the CCleaner binary hosted there, so the malicious build was served to unsuspecting users through the normal download channel. Because it came from the legitimate source and carried a valid digital signature, it would have been almost impossible for users to tell that the software had been modified to perform malicious activity. A valid signature therefore says nothing about whether a given copy is safe in this case; the file version and file hash are the checks that distinguish the trojanized build from a clean one.

Trojanized CCleaner Distribution

Smart Scan and Conventional Scan

The following file hashes associated with the trojanized CCleaner are already detected as BKDR_CCHACK.A and BKDR_CCHACK.B by the Trend Micro Smart Scan and Conventional patterns as of pattern version 13.671.00.

Web Reputation Service

Web Reputation Services evaluates the potential security risk of every requested URL at the time of each HTTP request. Depending on the rating returned by the database and the configured security level, Web Reputation either blocks or approves the request.

The following C&C servers associated with the trojanized CCleaner are already blocked by Trend Micro Web Reputation Services.

Predictive Machine Learning

Predictive Machine Learning helps protect your environment from unidentified threats and zero-day attacks. It performs behavioral analysis on unknown or low-prevalence processes to determine whether an emerging or unknown threat is attempting to infect the network.

Deep Discovery Inspector

Trend Micro Deep Discovery Inspector (DDI) helps identify potentially impacted machines on the network. DDI has a rule that detects the C&C connection attempts made by the trojanized CCleaner:

Rule ID 2497: CCHACK DNS Connection detected.

RECOMMENDATIONS FOR IT ADMIN

Upgrade to the latest version of CCleaner; the affected file version is 5.33.6162. Confirm the version actually installed on each host rather than relying on the digital signature, since the trojanized build was itself signed.
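The host-side check behind this recommendation, as an added example that is not part of the original advisory or a Trend Micro tool: a PowerShell inventory script that locates CCleaner.exe under the Program Files directories, records its file version, SHA-256 and Authenticode status, and flags the 5.33.6162 build. Assumptions (not stated on the page): CCleaner sits under the default Program Files locations; the advisory's version string 5.33.6162 may be encoded in the PE version resource as 5.33.0.6162, so the build number is accepted in either the build or the private field; the CSV output path is arbitrary.

```powershell
# Added example, not from the original advisory: inventory CCleaner.exe on this host
# and flag the build named in the advisory (5.33.6162).
# Assumption: the PE FileVersion may carry 6162 in either the build or the private part.
$AffectedMajor = 5
$AffectedMinor = 33
$AffectedBuild = 6162

function Test-AffectedCCleaner {
    param([Parameter(Mandatory)][string]$Path)

    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Match major/minor exactly; accept the build number in build or private part (assumption above).
    $isAffected = ($vi.FileMajorPart -eq $AffectedMajor) -and
                  ($vi.FileMinorPart -eq $AffectedMinor) -and
                  ($vi.FileBuildPart -eq $AffectedBuild -or $vi.FilePrivatePart -eq $AffectedBuild)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Path           = $Path
        FileVersion    = $vi.FileVersion
        ProductVersion = $vi.ProductVersion
        SHA256         = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Reported for the record only: the trojanized build was validly signed,
        # so SignatureValid = True does NOT clear the file.
        SignatureValid = ($sig.Status -eq 'Valid')
        Signer         = $sig.SignerCertificate.Subject
        Affected       = $isAffected
    }
}

# Search both Program Files roots; the x86 root is absent on 32-bit hosts, so filter it out.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }

$results = Get-ChildItem -Path $roots -Recurse -Filter 'CCleaner.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-AffectedCCleaner -Path $_.FullName }

$results | Format-Table ComputerName, FileVersion, SignatureValid, Affected, Path -AutoSize

# Keep the SHA-256 values for correlation with pattern detections and network telemetry.
$results | Export-Csv -Path "$env:TEMP\ccleaner-inventory.csv" -NoTypeInformation
```

Run it from an elevated prompt, or fan it out with Invoke-Command against a list of hosts and merge the CSVs. Treat any row with Affected = True as an infected host regardless of its SignatureValid value, and cross-check the SHA256 column against the hashes covered by the detection patterns above.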

Monitor for suspicious outbound connections with a network monitoring appliance such as Deep Discovery Inspector. An outbound connection to a known C&C server is by itself an indication that the host is infected and should be handled as such.

Restrict employees' ability to download or install unapproved software. Trend Micro Endpoint Application Control lets IT admins define the list of programs, files and processes that are allowed to run on systems.
